Privacy Policy

Introduction, Scope, and Purpose

This Privacy Policy (“Policy”) describes the privacy practices of Solestic Advisory regarding processing Personal Data of Client Data Subjects and – to the extent applicable – the customers of the Client and/or the relevant Client Affiliates as part of the provision of Services to its Clients. Personal Data can be stored in Solestic Advisory systems, Client systems, or third-party systems to which Solestic Advisory provides access to Services. Where Solestic Advisory provides Services to its Client and processes Personal Data on Client’s behalf, Solestic Advisory will act as Processor, and the Client will act as Controller.

The Policy applies globally to any and all Services provided by Solestic Advisory to its Clients under the Service Agreements where Solestic Advisory is acting as Processor, executed on or after the effective date of this Policy.

Solestic Advisory processes Personal Data on behalf of the Client in accordance with Data Protection Laws. Insofar as necessary, the Service Agreement will be supplemented with an addendum to set out any matters that are specific to the Client and cannot be regulated in this Policy.

Personal data processed by Solestic Advisory

Details of the Personal Data that will be processed by Solestic Advisory on behalf of the Client, including the duration, purpose, and types and categories of Personal Data, as well as Subprocessors, if any, will be set out on the Solestic Advisory website pages “Details of Processing” and “Subprocessors”, respectively.

Where additional authorisations or consents are required from the Client Data Subjects under applicable Data Protection Laws to process Personal Data on behalf of the Client, the Client shall collect such authorisation or consent from the Client Data Subjects for the respective processing activity of the Personal Data, as required under Data Protection Laws.

Use of personal data

Solestic Advisory shall not process, transfer, modify, amend, or alter Personal Data or disclose or permit disclosure of Personal Data to any third party other than:

  • as necessary to process Personal Data to provide the Services and/or otherwise in accordance with the documented instructions of Client, or
  • as required to comply with Data Protection Laws or other laws to which Solestic Advisory is subject, in which case Solestic Advisory shall (to the extent permitted by law) inform Client of that legal requirement before processing Personal Data.

In addition, Solestic Advisory is allowed to use aggregated data – to the extent this can no longer be considered Personal Data and which is, therefore, not subject to Data Protection Laws – for analysing purposes, for a website, and for internal operations, including troubleshooting, data analysis, testing, research, for statistical purposes, for developing and improving Services and products of Solestic Advisory as well as benchmarking.

Subprocessing

Solestic Advisory may be required to appoint certain third parties, including Solestic Advisory Affiliates, to provide part of the Services to the Client or assist with providing technical support, such as IT service providers or other suppliers.

By signing the Service Agreement, Client authorises Solestic Subprocessors are, in each case, subject to the terms between Solestic Advisory and Subprocessor, which are no less protective than those set out in the Policy and the Service Agreement.

Confidentiality and security

Solestic Advisory shall keep Personal Data confidential and will ensure its staff and Subprocessors are bound by the same confidentiality obligation. Solestic Advisory shall implement appropriate technical and organisational measures to ensure a level of security of Personal Data appropriate to the risk required pursuant to applicable Data Protection Laws and shall take all measures required pursuant to Article 32 GDPR (security of processing) and any other more protective corresponding requirement under Data Protection Laws.

In assessing the appropriate level of security, Solestic Advisory shall consider the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

Cooperating with the requests of the client

Solestic Advisory shall, upon request and to the extent required under Data Protection Laws, cooperate with requests of Client that relate to the processing of Personal Data. In particular, Solestic Advisory shall cooperate with requests that relate to Client Data Subject rights, data protection impact assessments, and Data Protection Audit rights as described below.

  • Client Data Subject rights: Solestic Advisory shall cooperate as requested by Client to enable the Client to comply with its obligations with any exercise of rights by Client Data Subject in respect of Personal Data and reasonably assist Client in its compliance with any assessment, inquiry, notice or investigation as required under Data Protection Laws. In case the assistance provided by Solestic Advisory to the Client exceeds the reasonable assistance, the Client shall reimburse Solestic Advisory in full for all costs (including for internal resources and any third-party costs) reasonably incurred by Solestic Advisory providing the assistance that exceeds the reasonable limits in performing its obligation to assist Client in its compliance under this section.
  • Data protection impact assessment: Solestic Advisory shall provide reasonable assistance to the Client with any data protection impact assessments which are required under Data Protection Laws, including Article 35 GDPR or other corresponding obligations determined by Data Protection Laws, and with any prior consultations to any supervisory authority of the Client which are required under Data Protection Laws, including Article 36 GDPR or other corresponding obligations determined by Data Protection Laws, in each case in relation to Processing of Personal Data by Solestic Advisory on behalf of the Client and taking into account the nature of the processing and information available to Solestic Advisory.
  • Audit rights: On reasonable request and notice, Solestic Advisory will cooperate in the conduct of any Data Protection Audit or inspection reasonably necessary to demonstrate Solestic Advisory’s compliance with Processor’s obligations laid down in Data Protection Laws and the Policy related to the Service Agreement, always provided that this requirement will not oblige Solestic Advisory to provide or permit access to information concerning: (i) Solestic Advisory internal pricing information, (ii) information relating to Solestic Advisory’s other Clients, (iii) any of Solestic Advisory non-public external reports, or (iv) any internal reports prepared by Solestic Advisory’s internal audit function.

The Client shall avoid causing any damage, injury, or disruption to Solestic Advisory’s equipment, personnel, and business in the course of such Data Protection Audit or inspection.

A maximum of one Data Protection Audit may be activated under this section in any twelve (12) month period at no additional cost to the Client, unless (i) the audit is following up on a Personal Data Breach caused by Solestic Advisory in the same period, (ii) the Data Protection Audit request made by the Client in the same period would exceed commercially reasonable market audit standard costs and/or (iii) the Data Protection Audit request made by the Client in the same period would require allocation of Solestic Advisory internal resources for more than one (1) business day to fulfil the request.

In the foregoing events, Solestic Advisory will promptly notify Client of such additional expected costs in advance, for which Client and Solestic Advisory will agree to such costs prior to initiating the referred Data Protection Audit request. Any further Data Protection Audit within the referred twelve (12) month period shall be at the Client’s expense.

Deletion or return of client personal data

Solestic Advisory will, at the choice of Client, delete or return Personal Data at the end of the provision of the Services involving processing, unless (i) Data Protection Laws, (ii) any law, statute, order, regulation, rule, requirement, practice and guidelines of any government, regulatory authority or self-regulating organisation that applies to the Services in the country where those Services are being provided, or (iii) competent court, supervisory or regulatory body, require the retention of such Personal Data by Solestic Advisory.

Incident management

Solestic Advisory shall notify Client without undue delay after becoming aware of a Personal Data Breach, providing the Client with sufficient information which allows the Client to meet any obligations to report a Personal Data Breach under Data Protection Laws.

Upon request by the Client, Solestic Advisory shall fully cooperate with the Client and take such reasonable steps as are directed by the Client to assist in the investigation, mitigation, and remediation of each Personal Data Breach to enable the Client to (i) perform a thorough investigation into the Personal Data Breach and provide incident details as required under Data Protection Laws such as Article 33(3) GDPR or other corresponding obligations determined by Data Protection Laws, (ii) formulate a correct response and (iii) take suitable further steps in respect of the Personal Data breach to meet any requirement under the Data Protection Laws (“Remediation Measures”).

If Solestic Advisory caused the Personal Data Breach, Solestic Advisory shall bear the reasonable costs of Remediation Measures taken by Solestic Advisory.

If and to the extent costs incurred by Solestic Advisory related to Remediation Measures as directed by the Client are related to the Personal Data Breach caused by the Client, the Client shall compensate reasonable costs of the Remediation Measures taken by Solestic Advisory. Any costs borne by Solestic Advisory that exceed those reasonable costs for Remediation Measures shall be mutually agreed upon by parties to Service Agreement in advance.

Remediation Measures shall: (i) start without undue delay, (ii) be completed within a reasonable period after Solestic Advisory has become aware of a Personal Data Breach, and (iii) be carried out within the regular business hours of Solestic Advisory where Remediation Measures are required to be taken.

Liability

Client warrants that Personal Data processed by Solestic Advisory on behalf of the Client has been and shall be processed by the Client in accordance with Data Protection Laws, including without limitation:

a. ensuring that all notifications to and approvals from regulators, which Data Protection Laws require, are made and maintained by the Client; 

b. ensuring that all Personal Data is processed fairly, lawfully and is accurate and current. The Client provides that fair notice to Client Data Subjects. It describes the processing to be undertaken by Solestic Advisory or its Subprocessors pursuant to the Services agreed upon in the Service Agreement.

Solestic Advisory shall be liable for the damage caused by processing only where it has not complied with obligations of Data Protection Laws directed explicitly to the Processor or where it has acted outside or contrary to the Client’s lawful instructions as indicated in the Service Agreement. Client shall be liable for the damage caused by processing by Client which infringes Data Protection Laws. Solestic Advisory shall be exempt from liability under section 10 of the Policy if it proves that it is not in any way responsible for the event giving rise to the damage.

Where more than one Controller or Processor, or both Controller and Processor, are involved in the same processing and where they are, under the Service Agreement, responsible for any damage caused to Client Data Subject by processing, each Controller or Processor shall be held liable for the entire damage in order to ensure effective compensation of Client Data Subject(s). Where Controller or Processor has paid full compensation for the damage suffered, that Controller or Processor shall be entitled to claim back from the other Controller(s) or Processor(s) involved in the same processing that part of the compensation corresponding to their part of the responsibility for the damage, in accordance with the conditions set out in the previous paragraph.

Contact us

If you have any queries about Solestic Advisory’s Privacy Policy, please send an email to info@solestic-advisory.com and be sure to indicate the nature of your query.
